METHOD AND APPARATUS FOR FORMALLY CONSTRAINING 
RANDOM SIMULATION 

J.H. Kukula, et al. 06816.0036

1/50 




[Sheets 2/50 through 14/50 are drawing figures whose graphics did not survive extraction. Only the following figure labels are recoverable:]

FIG. 4-C SSFD
FIG. 4-D SSRB
FIG. SURA
SSRS
SURS
USFD
USRS
FIG. 4-K UURS
Figure 5A

/* Note that in following declaration "path" is a pseudo data type which is not part
   of the C language */
path approx_path;
/* the "approx_path" of the "path" type is structured into the following 3 main
   subparts:
   "state_sets" is a matrix organized as follows:
       P^S_{0,1}  P^S_{1,1}  ...  P^S_{max_time,1}
       P^S_{0,2}  P^S_{1,2}  ...  P^S_{max_time,2}
       ...
       P^S_{0,n}  P^S_{1,n}  ...  P^S_{max_time,n}
   "input_sets" is a matrix organized as follows:
       P^U_{0,1}  P^U_{1,1}  ...  P^U_{max_time,1}
       P^U_{0,2}  P^U_{1,2}  ...  P^U_{max_time,2}
       ...
       P^U_{0,m}  P^U_{1,m}  ...  P^U_{max_time,m}
   "max_time" is the max time value of state_sets and input_sets */
Figure 5B

/* Bidirectional Approximate Reachability Narrowing */

bidirectional_approx(approx_path)
{
    list rev_comps; /* list of reverse image computations to be performed */
    list fwd_comps; /* list of forward image computations to be performed */

    /* the approx_path data type is described above */

    Sets of state for max_time, P^S_{max_time,1}, P^S_{max_time,2}, ..., P^S_{max_time,n}, are initially shrunk
    by replacing them with their intersection with E^S_1, E^S_2, ..., E^S_n;

    For each P^S_{max_time,j} shrunken by its intersection with E^S_j, schedule it as the
    "j" term of any reverse image computations to be performed on its fanin by
    putting it on rev_comps;

    /* Main loop whereby overapproximate sets, between start and goal states,
       are shrunken */
    while (non_empty?(rev_comps) OR non_empty?(fwd_comps))
    {
        /* do all rev comps, and all additional rev comps brought up by doing the
           existing rev comps, on rev comp list, where list is sorted such that
           rev comps, latest in time, are done first */
        for each j_term on rev_comps
        {
            i_terms = state_fanin(j_term);
            r_terms = input_fanin(j_term);
Figure 5C

            for each i_term on i_terms
            {
                new_i_term = rev_shrink_2pt2(i_term, j_term);
                if empty(new_i_term) then return(no_path_exists);

                if new_i_term < i_term then
                {
                    replace term in approx_path.state_sets,
                    corresponding to i_term, with new_i_term;

                    new_j_terms = revs_triggered?(new_i_term);

                    put new_j_terms on rev_comps immediately,
                    and re-sort rev_comps such that the j_term's
                    continue to be taken in latest time first order;

                    new_fwd_comps = fwds_triggered?(new_i_term);

                    put new_fwd_comps on fwd_comps
                    immediately, and re-sort fwd_comps such that
                    its terms continue to be taken in earliest time
                    first order;
                } /* END if new_i_term < i_term */
            } /* END for each i_term on i_terms */
Figure 5D

            for each r_term on r_terms
            {
                new_r_term = rev_shrink_2pt3(r_term, j_term);
                if empty(new_r_term) then return(no_path_exists);

                if new_r_term < r_term then
                {
                    replace term in approx_path.input_sets,
                    corresponding to r_term, with new_r_term;

                    new_j_terms = revs_triggered?(new_r_term);

                    put new_j_terms on rev_comps immediately,
                    and re-sort rev_comps such that the j_term's
                    continue to be taken in latest time first order;

                    new_fwd_comps = fwds_triggered?(new_r_term);

                    put new_fwd_comps on fwd_comps
                    immediately, and re-sort fwd_comps such that
                    its terms continue to be taken in earliest time
                    first order;
                } /* END if new_r_term < r_term */
            } /* END for each r_term on r_terms */
        } /* END for each j_term on rev_comps */
Figure 6A

/* All calls or process spawnings in the following pseudocode are by value,
   meaning that the called routine or spawned process gets its own copy of the
   passed parameters. */

/* DECLARATIONS FOLLOW (note that certain types are "pseudo" data types not
   part of the C language) */

int lwr_prio;
int max_prio;

state initial_state;
list error_states;
list actual_path;
hash previously_found_states; /* "hash" is a pseudo data type which creates a
   hash table; previously_found_states is a global hash table where all states
   generated, beyond initial_state, are kept track of */
path approx_path;
/* the "approx_path" of the "path" type is structured into the following 3 main
   subparts:
   "state_sets" is a matrix organized as follows:
       P^S_{0,1}  P^S_{1,1}  ...  P^S_{max_time,1}
       P^S_{0,2}  P^S_{1,2}  ...  P^S_{max_time,2}
       ...
       P^S_{0,n}  P^S_{1,n}  ...  P^S_{max_time,n}
   "input_sets" is a matrix organized as follows:
       P^U_{0,1}  P^U_{1,1}  ...  P^U_{max_time,1}
       P^U_{0,2}  P^U_{1,2}  ...  P^U_{max_time,2}
       ...
       P^U_{0,m}  P^U_{1,m}  ...  P^U_{max_time,m}
   "max_time" is the max time value of state_sets and input_sets */
Figure 6B

/* INITIALIZATIONS FOLLOW: */

/* Note that priority decreases as the priority number increases */
lwr_prio = 1;
max_prio = 1;

initial_state = s_{0,1}, s_{0,2}, ..., s_{0,n};
error_states = E^S_1, E^S_2, ..., E^S_n;
actual_path = ( ((s_{0,1}, s_{0,2}, ..., s_{0,n}), NULL_input) ); /* Note that initial state of actual
   path is paired with NULL_input to symbolize that primary input combination to be
   applied for getting to next state along an error path has not been found yet. */
Figure 6C

/* Initial Process */

approx_path is initialized as follows:
    state_sets (each set P^S_{0,i} accepts only its corresponding portion of initial
    state s_{0,1}, s_{0,2}, ..., s_{0,n}):
        P^S_{0,1}
        P^S_{0,2}
        ...
        P^S_{0,n}
    input_sets (each set P^U_{0,j} accepts any combination of inputs applied to it):
        P^U_{0,1}
        P^U_{0,2}
        ...
        P^U_{0,m}
    max_time is 0

if each partition of initial_state has a non-null intersection with the corresponding
partition of error_states
then return initial_state as being a path to an error and end verification;

else spawn_process( max_prio; forward_approx(approx_path, actual_path) );
Figure 6D

/* Forward Approximate Reachability Process */
forward_approx(approx_path, actual_path)

Determine P^S_{t,1}, P^S_{t,2}, ..., P^S_{t,n} from P^S_{t-1,1}, P^S_{t-1,2}, ..., P^S_{t-1,n}, where each P^S_{t,i} is
determined according to the following equation:

    P^S_{t,i}(s_{t,i}) = ∃s_{t-1,1}, ∃s_{t-1,2}, ..., ∃s_{t-1,n}, ∃u :
        P^S_{t-1,a_1}(s_{t-1,a_1}) ∧ P^S_{t-1,a_2}(s_{t-1,a_2}) ∧ ... ∧ P^S_{t-1,a_k}(s_{t-1,a_k}) ∧
        [remaining conjuncts of the equation are not recoverable from this copy]

The functions of the above equation, having been expressed as
BDDs, are combinable, according to the above operators, according
to known techniques for BDD manipulation.

aug_approx_path = approx_path with the additional time step values of
P^S_{t,1}, P^S_{t,2}, ..., P^S_{t,n} added to state_sets, and max_time incremented by 1;

spawn_process( local_prio() + lwr_prio; forward_approx(aug_approx_path, actual_path) );

/* local_prio() returns priority level of process in which local_prio is
   being executed */

/* start another forward_approx, but at a lower level of priority */

if intersection of each member of P^S_{t,1}, P^S_{t,2}, ..., P^S_{t,n} with its corresponding
member of E^S_1, E^S_2, ..., E^S_n is non-null then spawn_process( max_prio,
bidirectional_approx(aug_approx_path, actual_path) );


Figure 6E

/* Bidirectional Approximate Reachability Narrowing */

bidirectional_approx(approx_path, actual_path)
{
    list rev_comps; /* list of reverse image computations to be performed */
    list fwd_comps; /* list of forward image computations to be performed */

    /* the approx_path data type is described above */

    Sets of state for max_time, P^S_{max_time,1}, P^S_{max_time,2}, ..., P^S_{max_time,n}, are shrunk by
    replacing them with their intersection with E^S_1, E^S_2, ..., E^S_n;

    For each P^S_{max_time,j} shrunken by its intersection with E^S_j, schedule it as the
    "j" term of any reverse image computations to be performed on its fanin by
    putting it on rev_comps;

    /* Main loop whereby overapproximate sets, between start and goal states,
       are shrunken */
    while (non_empty?(rev_comps) OR non_empty?(fwd_comps))
    {
        /* do all rev comps, and all additional rev comps brought up by doing the
           existing rev comps, on rev comp list, where list is sorted such that
           rev comps, latest in time, are done first */
        for each j_term on rev_comps
        {
            i_terms = state_fanin(j_term);
            r_terms = input_fanin(j_term);


Figure 6F

            for each i_term on i_terms
            {
                new_i_term = rev_shrink_2pt2(i_term, j_term);
                if empty(new_i_term) then return(no_path_exists);

                if new_i_term < i_term then
                {
                    replace term in approx_path.state_sets,
                    corresponding to i_term, with new_i_term;

                    new_j_terms = revs_triggered?(new_i_term);

                    put new_j_terms on rev_comps immediately,
                    and re-sort rev_comps such that the j_term's
                    continue to be taken in latest time first order;

                    new_fwd_comps = fwds_triggered?(new_i_term);

                    put new_fwd_comps on fwd_comps
                    immediately, and re-sort fwd_comps such that
                    its terms continue to be taken in earliest time
                    first order;
                } /* END if new_i_term < i_term */
            } /* END for each i_term on i_terms */
Figure 6G

            for each r_term on r_terms
            {
                new_r_term = rev_shrink_2pt3(r_term, j_term);
                if empty(new_r_term) then return(no_path_exists);

                if new_r_term < r_term then
                {
                    replace term in approx_path.input_sets,
                    corresponding to r_term, with new_r_term;

                    new_j_terms = revs_triggered?(new_r_term);

                    put new_j_terms on rev_comps immediately,
                    and re-sort rev_comps such that the j_term's
                    continue to be taken in latest time first order;

                    new_fwd_comps = fwds_triggered?(new_r_term);

                    put new_fwd_comps on fwd_comps
                    immediately, and re-sort fwd_comps such that
                    its terms continue to be taken in earliest time
                    first order;
                } /* END if new_r_term < r_term */
            } /* END for each r_term on r_terms */
Figure 6H

            /* do all forward comps, and all additional fwd comps brought up by doing
               the existing fwd comps, on fwd comp list, where list is sorted such
               that fwd comps, earliest in time, are done first */
            for each i_term on fwd_comps
            {
                new_i_term = fwd_shrink_2pt1(i_term);
                if empty(new_i_term) then return(no_path_exists);

                if new_i_term < i_term then
                {
                    replace term in approx_path.state_sets, corresponding
                    to i_term, with new_i_term;

                    new_j_terms = revs_triggered?(new_i_term);

                    put new_j_terms on rev_comps immediately, and re-
                    sort rev_comps such that the j_term's continue to be
                    taken in latest time first order;

                    new_fwd_comps = fwds_triggered?(new_i_term);

                    put new_fwd_comps on fwd_comps immediately, and
                    re-sort fwd_comps such that its terms continue to be
                    taken in earliest time first order;
                } /* END if new_i_term < i_term */
            } /* END for each i_term on fwd_comps */

    } /* END while */

    random_seed = random();
    spawn_process( max_prio; simulate(approx_path, actual_path, random_seed) );

} /* END bidirectional_approx */
Figure 6I

/* Simulation Process
   Want to simulate one step from end of actual_path, where end of actual_path is
   also the only state contained in P^S_{0,1}, P^S_{0,2}, ..., P^S_{0,n} of approx_path. */
simulate(approx_path, actual_path)
{
    /* spawn another simulation process where the random_seed has a
       different value to ensure a different random vector of inputs to try */
    spawn_process( local_prio() + lwr_prio, simulate(approx_path, actual_path) );

    end_of_path = get_end_of_path( actual_path );

    /* each call to random_valid_input returns a different randomly generated
       set of inputs which are a member of P^U_{0,1}, P^U_{0,2}, ..., P^U_{0,m} */
    input_vector = random_valid_input(approx_path);

    /* simulate FSM verify for one step, from the time 0 state of approx_path, with
       the randomly generated set of inputs of input_vector */
    next_state = one_step_fsm_verify(end_of_path, input_vector);

    new_actual_path = replace the "NULL_input" paired with end_of_path in
    actual_path with input_vector;

    new_actual_path = concatenate (next_state, NULL_input) pair to end of
    existing list assigned to new_actual_path;

    if next_state is contained in E^S_1, E^S_2, ..., E^S_n then end entire search and return
    new_actual_path to user as a concrete path from initial state to an error
    state, otherwise continue;
Figure 6J

    if ( (next_state contained in P^S_{1,1}, P^S_{1,2}, ..., P^S_{1,n}) && not(next_state contained in
         previously_found_states) )
    {
        /* add next_state to global hash table, previously_found_states, so
           that next_state will not be pursued by another process */
        add_state_to_table(next_state, previously_found_states);

        new_approx_path = only has state_sets for P^S_{0,1}, P^S_{0,2}, ..., P^S_{0,n}, which only
        contain next_state; only has input_sets P^U_{0,1}, ..., P^U_{0,m}, which can
        accept any input combination; and max_time is set to zero;

        spawn_process( local_prio(), forward_approx(new_approx_path, new_actual_path) );
    }

} /* END simulate */

/* local_prio() returns priority level of process in which local_prio is being executed
   */
local_prio()
{
    return priority level of process in which local_prio just called
}
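As an added illustration, not code from the patent, the three phases of the pseudocode above (forward over-approximation, bidirectional narrowing, random simulation constrained by the narrowed stepping-stone matrix) run on a constructed two-partition FSM with explicit Python sets standing in for BDDs; the scheduled rev_comps/fwd_comps worklists are replaced by a fixpoint sweep, the process spawning by plain calls, and the names next_state, column_states and find_error_path are this example's own. It mirrors the Figure 8 trace: forward_approx grows columns until the last one meets the error sets, narrow shrinks the matrix, and simulate draws inputs only from the narrowed input sets.

```python
import random
from itertools import product

# Constructed toy FSM: state = (a, b); a is a mod-3 counter that advances when
# input u == 1, b is a sticky flag raised when the counter wraps from 2 to 0.
INPUTS = (0, 1)
INITIAL_STATE = (0, 0)
# Error states given per partition (E^S_1, E^S_2): a unconstrained, b must be 1.
ERROR_SETS = ({0, 1, 2}, {1})


def next_state(state, u):
    """Next-state function of the constructed FSM (stands in for one_step_fsm_verify)."""
    a, b = state
    a_next = (a + 1) % 3 if u == 1 else a
    b_next = 1 if (b == 1 or (a == 2 and u == 1)) else 0
    return (a_next, b_next)


def column_states(parts):
    """All concrete states one column of per-partition sets stands for (Cartesian product)."""
    return set(product(*parts))


def forward_approx(state_sets, input_sets, error_sets, max_steps=10):
    """Append one column per time step: the image of the previous column, projected onto
    each partition. Stop once every partition of the newest column meets its error set."""
    for _ in range(max_steps):
        last = state_sets[-1]
        if all(p & e for p, e in zip(last, error_sets)):
            return len(state_sets) - 1  # max_time
        image = {next_state(s, u) for s in column_states(last) for u in input_sets[-1]}
        state_sets.append(tuple({s[i] for s in image} for i in range(len(last))))
        input_sets.append(set(INPUTS))  # a new time step accepts any input
    raise RuntimeError("no overapproximate path within max_steps")


def narrow(state_sets, input_sets, error_sets):
    """Bidirectional narrowing: intersect the last column with the error sets, then
    alternate reverse sweeps (latest time first) and forward sweeps (earliest first)
    until nothing changes. Returns False when a set empties, i.e. no path exists."""
    n = len(state_sets[0])
    state_sets[-1] = tuple(p & e for p, e in zip(state_sets[-1], error_sets))
    changed = True
    while changed:
        changed = False
        for t in range(len(state_sets) - 2, -1, -1):  # reverse image narrowing
            target = column_states(state_sets[t + 1])
            good = [(s, u) for s in column_states(state_sets[t]) for u in input_sets[t]
                    if next_state(s, u) in target]
            new_states = tuple({s[i] for s, _ in good} for i in range(n))
            new_inputs = {u for _, u in good}
            if new_states != state_sets[t] or new_inputs != input_sets[t]:
                state_sets[t], input_sets[t] = new_states, new_inputs
                changed = True
        for t in range(1, len(state_sets)):  # forward image narrowing
            image = {next_state(s, u)
                     for s in column_states(state_sets[t - 1]) for u in input_sets[t - 1]}
            new_states = tuple(state_sets[t][i] & {s[i] for s in image} for i in range(n))
            if new_states != state_sets[t]:
                state_sets[t] = new_states
                changed = True
        if any(not p for col in state_sets for p in col) or not all(input_sets[:-1]):
            return False
    return True


def simulate(state_sets, input_sets, rng, attempts=50):
    """Random simulation constrained by the narrowed matrix: draw each input from the
    narrowed input set and keep the step only if the next state lies in the next column.
    A column's product is still an overapproximation, so a dead end restarts the attempt."""
    for _ in range(attempts):
        path = [INITIAL_STATE]
        for t in range(len(state_sets) - 1):
            u = rng.choice(sorted(input_sets[t]))
            nxt = next_state(path[-1], u)
            if nxt not in column_states(state_sets[t + 1]):
                break
            path.append(nxt)
        else:
            return path
    return None


def find_error_path(seed=1):
    """Run the three phases; return (state_sets, input_sets, concrete path or None)."""
    state_sets = [tuple({v} for v in INITIAL_STATE)]  # time 0 accepts only the start state
    input_sets = [set(INPUTS)]
    forward_approx(state_sets, input_sets, ERROR_SETS)
    if not narrow(state_sets, input_sets, ERROR_SETS):
        return state_sets, input_sets, None
    return state_sets, input_sets, simulate(state_sets, input_sets, random.Random(seed))
```

On this FSM narrowing collapses every input set before max_time to {1}, so the constrained simulation reaches the error state (0, 1) in three steps with no dead ends.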
Figure 8A

Initial State

The following values are determined by initializations:
    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    approx_path =
        state_sets
            P^S_{0,1}
            P^S_{0,2}
            P^S_{0,3}
        input_sets
            P^U_{0,1}
            P^U_{0,2}

        max_time = 0

Notes:
    state_sets accept only initial state s_{0,1}, s_{0,2}, s_{0,3}.

    input_sets accept any input combination.

spawn Forward Approximation, Process ID#1
Figure 8B

Forward Approximation : Process ID#1

The following values are unchanged by forward_approx:
    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    local priority = 1

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}
            P^S_{0,2}  P^S_{1,2}
            P^S_{0,3}  P^S_{1,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}
            P^U_{0,2}  P^U_{1,2}

        max_time = 1

Notes:
    state_sets of time 1 is an overapproximation of the reachable states.

    input_sets at times 0 and 1 accept any input combination.

spawn Forward Approximation, Process ID#2
Figure 8C

Forward Approximation : Process ID#2

The following values are unchanged by forward_approx:
    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    local priority = 2

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}

        max_time = 2

Notes:
    state_sets of times 0-1 are unchanged; state_sets of time 2 are an
    overapproximation of the states reachable from the state_sets of time 1.

    input_sets at times 0-2 accept any input combination.

spawn Forward Approximation, Process ID#3
Figure 8D

Forward Approximation : Process ID#3

The following values are unchanged by forward_approx:
    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    local priority = 3

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}  P^S_{3,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}  P^S_{3,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}  P^S_{3,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}  P^U_{3,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}  P^U_{3,2}

        max_time = 3

Notes:
    state_sets of times 0-2 are unchanged; state_sets of time 3 are an
    overapproximation of the states reachable from the state_sets of time 2.

    input_sets at times 0-3 accept any input combination.

spawn Forward Approximation, Process ID#4 (not shown)

spawn Bidirectional Approximation, Process ID#5
Figure 8E

Bidirectional Approximation : Process ID#5

The following values are unchanged by bidirectional_approx:
    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    local priority = 1

The following values are after having been changed by bidirectional_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}  P^S_{3,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}  P^S_{3,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}  P^S_{3,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}  P^U_{3,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}  P^U_{3,2}

        max_time = 3

Notes:
    state_sets of time 3 are narrowed to their intersection with E^S_1, E^S_2, ..., E^S_n.

    state_sets of times 1-2 may be narrowed by forward image or reverse
    image computations.

    input_sets of times 0-2 may be narrowed by reverse image computations.

spawn Simulation, Process ID#6
Figure 8F

Simulation : Process ID#6

proceeds according to the following major steps:

begins with following passed parameters and values:
    local priority = 1

    actual_path = ((s_{0,1}, s_{0,2}, s_{0,3}))

    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}  P^S_{3,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}  P^S_{3,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}  P^S_{3,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}  P^U_{3,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}  P^U_{3,2}

        max_time = 3

spawn a Simulation, with the old parameters, Process ID#7 (not shown in
Figure 8)

A one step simulation of FSM verify is performed to produce a next_state. A
next_state s_{1,1}, s_{1,2}, s_{1,3} is found by using a randomly selected input
combination contained in P^U_{0,1}, P^U_{0,2} in combination with s_{0,1}, s_{0,2}, s_{0,3}.



Figure 8G

From the parameters passed to simulation, the following new parameters
are determined:

    new_actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}) )

    new_approx_path =
        state_sets
            P^S_{0,1}
            P^S_{0,2}
            P^S_{0,3}
        input_sets
            P^U_{0,1}
            P^U_{0,2}

        max_time = 0

Notes:
    The column of state_sets only contains s_{1,1}, s_{1,2}, s_{1,3}.

    The column of input_sets accepts any input combination.

spawn a Forward Approximation, with the new parameters, Process ID#8
Figure 8H

Forward Approximation : Process ID#8

The following values are unchanged by forward_approx:
    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}) )

    local priority = 1

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}
            P^S_{0,2}  P^S_{1,2}
            P^S_{0,3}  P^S_{1,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}
            P^U_{0,2}  P^U_{1,2}

        max_time = 1

Notes:
    spawn Forward Approximation, Process ID#9
Figure 8I

Forward Approximation : Process ID#9

The following values are unchanged by forward_approx:
    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}) )

    local priority = 2

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}

        max_time = 2

Notes:
    spawn Forward Approximation, Process ID#14 (not shown)

    spawn Bidirectional Approximation, Process ID#12
Figure 8J

Bidirectional Approximation : Process ID#12

The following values are unchanged by bidirectional_approx:
    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}) )

    local priority = 1

The following values are after having been changed by bidirectional_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}

        max_time = 2

Notes:
    state_sets of time 2 are narrowed to their intersection with E^S_1, E^S_2, ..., E^S_n.

    state_sets of time 1 may be narrowed by forward image or reverse image
    computations.

    input_sets of times 0-1 may be narrowed by reverse image computations.

spawn Simulation, Process ID#13
Figure 8K

Simulation : Process ID#13

proceeds according to the following major steps:

begins with following passed parameters and values:
    local priority = 1

    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}) )

    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}  P^S_{2,1}
            P^S_{0,2}  P^S_{1,2}  P^S_{2,2}
            P^S_{0,3}  P^S_{1,3}  P^S_{2,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}  P^U_{2,1}
            P^U_{0,2}  P^U_{1,2}  P^U_{2,2}

        max_time = 2

spawn a Simulation, with the old parameters, Process ID#15 (not shown in
Figure 8)

A one step simulation of FSM verify is performed to produce a next_state. A
next_state s_{2,1}, s_{2,2}, s_{2,3} is found by using a randomly selected input
combination contained in P^U_{0,1}, P^U_{0,2} in combination with s_{1,1}, s_{1,2}, s_{1,3}.
Figure 8L

From the parameters passed to simulation, the following new parameters
are determined:

    new_actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}), (s_{2,1}, s_{2,2}, s_{2,3}) )

    new_approx_path =
        state_sets
            P^S_{0,1}
            P^S_{0,2}
            P^S_{0,3}
        input_sets
            P^U_{0,1}
            P^U_{0,2}

        max_time = 0

Notes:
    The column of state_sets only contains s_{2,1}, s_{2,2}, s_{2,3}.

    The column of input_sets accepts any input combination.

spawn a Forward Approximation, with the new parameters, Process ID#16.
Figure 8M

Forward Approximation : Process ID#16

The following values are unchanged by forward_approx:
    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}), (s_{2,1}, s_{2,2}, s_{2,3}) )

    local priority = 1

The following values are after having been changed by forward_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}
            P^S_{0,2}  P^S_{1,2}
            P^S_{0,3}  P^S_{1,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}
            P^U_{0,2}  P^U_{1,2}

        max_time = 1

Notes:
    spawn Bidirectional Approximation, Process ID#17
Figure 8N

Bidirectional Approximation : Process ID#17

The following values are unchanged by bidirectional_approx:
    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}), (s_{2,1}, s_{2,2}, s_{2,3}) )

    local priority = 1

The following values are after having been changed by bidirectional_approx:
    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}
            P^S_{0,2}  P^S_{1,2}
            P^S_{0,3}  P^S_{1,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}
            P^U_{0,2}  P^U_{1,2}

        max_time = 1

Notes:
    state_sets of time 1 are narrowed to their intersection with E^S_1, E^S_2, ..., E^S_n.

    state_sets of time 0 cannot be further narrowed by forward image or
    reverse image computations.

    input_sets of time 0 may be narrowed by reverse image computations.

spawn Simulation, Process ID#18
Figure 8O

Simulation : Process ID#18

proceeds according to the following major steps:

begins with following passed parameters and values:
    local priority = 1

    actual_path = ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}), (s_{2,1}, s_{2,2}, s_{2,3}) )

    approx_path =
        state_sets
            P^S_{0,1}  P^S_{1,1}
            P^S_{0,2}  P^S_{1,2}
            P^S_{0,3}  P^S_{1,3}
        input_sets
            P^U_{0,1}  P^U_{1,1}
            P^U_{0,2}  P^U_{1,2}

        max_time = 1

spawn a Simulation, with the old parameters (not shown in Figures 7 or 8)

A one step simulation of FSM verify is performed to produce a next_state. A
valid next_state s_{3,1}, s_{3,2}, s_{3,3} is found by using a randomly selected input
combination contained in P^U_{0,1}, P^U_{0,2} in combination with s_{2,1}, s_{2,2}, s_{2,3}.

Since new end of path s_{3,1}, s_{3,2}, s_{3,3} is in E^S_1, E^S_2, ..., E^S_n, end search and return
as value of new_actual_path: ( (s_{0,1}, s_{0,2}, s_{0,3}), (s_{1,1}, s_{1,2}, s_{1,3}), (s_{2,1}, s_{2,2}, s_{2,3}),
(s_{3,1}, s_{3,2}, s_{3,3}) ).
Figure 10

[Flowchart; boxes listed by step number.]

1000: Define set of error or goal states
1001: Select an initial state of DUT as a start state and add initial state to an
      output sequence of states
1002: Determine overapproximated path from start state to an error state(s)
1003: Determine under-approximated path from start state
1004: Update output sequence of states and the start state
1005: Does output sequence comprise a goal state?
      NO  -> repeat from the updated start state
      YES -> End
Figure 11

[Flowchart detailing Figure 10, Step 1002.]

(From Step 1001)

1100: Apply forward approximation from a start state until a stepping stone
      matrix is produced that comprises a goal state
1101: Apply narrowing equations, to sets of stepping stone matrix, to reduce
      the overapproximation

(To Step 1003)
[Flowchart following Figure 11; its caption did not survive extraction. Step labels 1200-1203 appear on the sheet; only the following box texts are recoverable.]

(From Figure 11, Step 1100)

    Apply forward narrowing equation until list of scheduled forward
    narrowings is exhausted

    YES

    Apply reverse narrowing equations until list of scheduled reverse
    narrowings is exhausted

(To Figure 10, Step 1003)